[redhat-lspp] USER_LOGIN record no longer has acct field

Linda Knippers linda.knippers at hp.com
Wed Sep 20 18:40:37 UTC 2006


Steve Grubb wrote:
> On Wednesday 20 September 2006 12:58, Linda Knippers wrote:
> 
>>>In the case where we log a message pre-authentication, you get acct since
>>>it did not correlate to a uid.
>>
>>I think it would be nice if the success message and the failure
>>message had the same information, so acct in both cases if that's
>>all we can get for the failure case.
> 
> 
> The audit system throughout has favored uids to names for compactness. Also 
> users can change their name but rarely their uid. In all the trusted apps, 
> the uid is more trustworthy since it has already been verified.
> 
> 
>>type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0
>>auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0:
>>exe="/usr/sbin/sshd" (hostname=16.116.117.213, addr=2.0.0.0,
>>terminal=/dev/pts/3 res=success)'
>>
>>type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0
>>auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255
>>msg='acct=root: exe="/usr/sbin/sshd" (hostname=?, addr=?, terminal=sshd
>>res=failed)'
>>
>>Do you know why we often get an addr of 2.0.0.0?
> 
> 
> I'd have to trace through the code and know about your network. 

I don't think it's related to our network.  I noticed that Loulwa's
example also had a 2.0.0.0 address.

>>Also, why does terminal=sshd in the failure case?
> 
> 
> I think the terminal isn't claimed until session open.
> 
> 
>>And are we not able to get the hostname and other info in that case?
> 
> 
> I'd have to look at the code. Patches are welcome... :)
> 
> -Steve
> 
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
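An added example, not code from this thread or from the audit project: a small parser for the two USER_LOGIN record shapes quoted above, which returns one consistent actor identity whether the application logged a verified uid (success) or only an account name (the pre-authentication failure case), and flags the latter. The sample lines are constructed copies of the records quoted in the thread; the helper names are my own.

```python
import re

# Constructed copies of the two USER_LOGIN records quoted in this thread,
# each joined back onto a single line as auditd writes them.
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1158674606.789:1503): user pid=10052 uid=0 "
    "auid=0 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 msg='uid=0: "
    'exe="/usr/sbin/sshd" (hostname=16.116.117.213, addr=2.0.0.0, '
    "terminal=/dev/pts/3 res=success)'",
    "type=USER_LOGIN msg=audit(1158668540.641:1460): user pid=9595 uid=0 "
    "auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c255 "
    "msg='acct=root: exe=\"/usr/sbin/sshd\" (hostname=?, addr=?, terminal=sshd "
    "res=failed)'",
]

UNSET_AUID = 4294967295           # -1 as unsigned 32-bit: no login session yet
AUDIT_HDR = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV = re.compile(r'(\w+)=("[^"]*"|[^,\s)]+)')


def parse_user_login(record):
    """Split a USER_LOGIN line into the outer fields (pid, uid, auid, subj)
    and the application-supplied fields inside msg='...'. Returns a flat dict."""
    head, _, inner = record.partition("msg='")
    ts, serial = AUDIT_HDR.search(head).groups()
    fields = {"time": float(ts), "serial": int(serial)}
    for k, v in KV.findall(head):
        fields[k] = v
    # inner looks like "uid=0: exe=... (hostname=..., ... res=...)" on success
    # or "acct=root: exe=..." when the app only had an unverified name
    subject, _, rest = inner.rstrip("'").partition(": ")
    fields["subject_key"], fields["subject"] = subject.split("=", 1)
    for k, v in KV.findall(rest):
        v = v.strip('"')
        fields[k] = None if v == "?" else v   # '?' means the app did not know
    return fields


def actor(fields):
    """One identity tuple whether the record carries a verified uid (success)
    or only the account name supplied by the client (pre-auth failure)."""
    if fields["subject_key"] == "uid":
        return ("uid", int(fields["subject"]))
    return ("acct", fields["subject"])


def is_pre_auth_failure(fields):
    """Failed login logged before any session was attached to the process:
    auid is unset and the identity is still an unverified account name."""
    return (fields.get("res") == "failed"
            and int(fields.get("auid", 0)) == UNSET_AUID
            and fields["subject_key"] == "acct")
```

Run it over a real audit.log by feeding only lines that start with `type=USER_LOGIN`; records of other types have different msg bodies and are not handled here.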
